27 August 2013

1024 Bit RSA Key Size END OF LIFE Announced!

Until the recently, the RSA algorithm, first publicly described in 1977 has been the only algorithm available for commercial digital signing certificates. The RSA algorithm remains the de-facto standard although commercial certificates based on the DSA and ECC algorithms are now available.

The larger the certificate key size in an RSA certificate, the more difficult it is to compromise the encryption.

As raw computing power increases over time it becomes possible to factor or crack smaller sized RSA keys. Key sizes smaller than 1024 bits were voluntarily discontinued by Microsoft on 12 December, 2012.

Seventeen RSA key sizes have been factored since 1991. Most recently most of the industry has standardized on certificates with 1024-bit RSA keys. However, industry experts warn that the oft used 1024-bit RSA key size is now at risk of being compromised by cyber criminals.

As a proactive measure, effective 31 December, 2013, the NATIONAL INSTITUTE OF STANDARDS and TECHNOLOGY [NIST] has recommended that 1024-bit RSA certificates be eliminated and replaced with 2048-bit or stronger keys.

As a result of the NIST recommendation, the Certification Authority/ Browser (CA/B) Forum, created to develop best practices within the SSL/TLS industry, created a mandate to bring the 1024-bit RSA key size to end of life by December 31st, 2013.


The Responsibility of a CA

All responsible Certificate Authorities (CAs) should be informing their customer base of this regulation change and assisting them with their migration to a more secure keysize.

Due to the industry’s end-of-life mandate on 1024-bit certificates, Certification Authorities have the difficult requirement to revoke 1024-bit RSA certificates that expire after 12/31/13.


What Does This Mean?

As a result of these changes, mandated by NIST, all current CERTS with a key size of 1024 bits or less than bits will have to be replaced by 31 December, 2013, or users of smaller certs will run the risk of having them denied when they are checked in situations where they are used for encryptions.



For More Information:







SUMMARY:
 

Start planning to upgrade your SSL / TLS / DOMAIN KEY and DKIM certificates now.  Don't wait for the "rush," because most of them will become obsolete on 31 December, 2013.

Remember, the Holidays are coming, too.  If an upgrade to your certificates requires anything more than an "automatic approval" your upgrade could potentially be delayed and your websites or e-mail stop working because of an invalid certificate key length.

=====================

Be certain to like us on FaceBook, too.